Firms Unite to Hunt Threats From Network to Endpoint

Two threat hunting and detection companies have integrated their products to give greater visibility and protection across the entire infrastructure. Corvil, with expertise in real-time traffic analysis, and Endgame, with expertise in endpoint protection, can now share threat intelligence between the two platforms with a single click.

“The challenge today between endpoint security and network security,” explains David Murray, Corvil chief business development officer, “is that they often tend to exist each in their own domain, when one of infosecurity’s multipliers is the ability to integrate and be able to track a threat across the network and into the endpoint.”

Organizations may have dozens of different security tools and technologies that do not adequately talk to each other. “The result,” says Murray, “is that security analysts remain horribly overburdened.” Training existing staff to a higher skill-set, or buying in new experts, is often not an option. “It is important,” he continued, “to take the intelligence and analytics that we provide and seamlessly integrate it with other security technologies. We’ve already done this with Cisco’s Tetration. Today we’re announcing two further integrations, one with Endgame and the other with Palo Alto Networks, that enable comprehensive protection from the perimeter through the network and inclusive of the endpoint.”

Endgame’s endpoint threat detection platform can see endpoint threats at the kernel level and in memory, but can lose visibility into the path of anomalous communication that leaves the endpoint. “Similarly,” adds Murray, “anything that tries to compromise an individual host or server endpoint of any kind has to travel over the network in order to get there. By sharing intelligence back and forth between our two platforms, we’re able to provide a stronger fabric for protection.”

Both Corvil and Endgame share similar philosophies and have a history of protecting some of the most sensitive and attacked infrastructures: Corvil in fintech, and Endgame in defense and military. Both believe organizations cannot wait to be breached but need to take an aggressive threat-hunting approach to network defense.

“The techniques attackers use today are increasingly aggressive, complex, and difficult to detect,” comments Nate Fick, Endgame’s CEO. “Security solutions that only identify customer breaches after damage and loss are no longer acceptable. Corvil shares our philosophy of direct, aggressive protection. Extending the visibility we can offer customers across the network and endpoint represents the most comprehensive solution available on the market.”

Both also share the view that their role is to make hunting and protection as easy as possible for the analyst, reducing the customer’s reliance on expensive expert analysts. Each has its own virtual assistant. Corvil’s Cara automatically generates daily risk reports, while Endgame’s Artemis is a natural-language, Siri-like assistant that will answer questions like, “What is suspicious on my network today?”

“One of the things we’re planning to release in the second phase of integration,” Murray told SecurityWeek, “is to extend the capabilities of our respective virtual experts to give both platforms the ability to stretch much further across an attack lifecycle, and be able to triangulate information to make a more active and more precise response.”

Speed in detecting a threat loses its value if there is a subsequent delay in responding to that threat. Both platforms have their own built-in response capabilities. Corvil also integrates with Palo Alto Networks (PAN) firewalls: where PAN micro-segmentation is employed, Corvil can push a blocking rule to the PAN firewall to isolate the risky host. Endgame, for its part, has more surgical disruptions it can introduce within the host or endpoint itself.

“Let’s say Corvil detects a risky host,” explains Murray. “With one click the analyst can see the result in Endgame, and they can trigger an action right there. Similarly, if someone is working in Endgame and has questions about the downstream communication of a suspicious host, the analyst can bring up information about the communication in Endgame and then click to Corvil to further investigate it. Corvil could initiate a firewall road block in PAN directly from Corvil. Corvil can determine the source of the bad behavior and block it so that it can no longer communicate through the firewall. Alternatively, there could be a more surgical disruption within the source through Endgame.”
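The workflow Murray describes (a network-side detection pivoted to endpoint telemetry on the same host, then a response chosen at whichever layer can act most precisely) can be sketched in a few lines. The following is an added illustration, not Corvil, Endgame or Palo Alto Networks code: the event fields, host names, the 5-minute correlation window and the shape of the firewall rule are assumptions, and the alert and endpoint events are constructed sample data.

```python
"""Added illustration (not Corvil, Endgame or PAN code): correlate a network
alert with endpoint process telemetry by host and time window, then choose
between a surgical endpoint action and a network-level firewall block.
All event schemas and sample data below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NetAlert:
    ts: datetime
    src_host: str
    dst_ip: str
    dst_port: int
    reason: str


@dataclass(frozen=True)
class EndpointEvent:
    ts: datetime
    host: str
    pid: int
    process: str
    remote_ip: str
    remote_port: int


T0 = datetime(2018, 5, 1, 9, 30, 0)

# Constructed sample: the network analyser flags wkst-17 for periodic
# connections to a single external address.
ALERT = NetAlert(T0, "wkst-17", "203.0.113.45", 443,
                 "beaconing: 60s periodic connections")

# Constructed sample endpoint telemetry (process, pid, remote socket) from
# several hosts; only two rows belong to the alert's host, destination and window.
EVENTS = [
    EndpointEvent(T0 - timedelta(seconds=40), "wkst-17", 4120, "updater.exe", "203.0.113.45", 443),
    EndpointEvent(T0 + timedelta(seconds=20), "wkst-17", 4120, "updater.exe", "203.0.113.45", 443),
    EndpointEvent(T0 + timedelta(seconds=5), "wkst-17", 812, "outlook.exe", "198.51.100.10", 443),
    EndpointEvent(T0, "srv-db-02", 2207, "sqlservr.exe", "203.0.113.45", 443),
    EndpointEvent(T0 - timedelta(hours=2), "wkst-17", 3301, "chrome.exe", "203.0.113.45", 443),
]


def correlate(alert, events, window=timedelta(minutes=5)):
    """Endpoint events on the alerting host whose remote socket matches the
    alert's destination, within +/- window of the alert timestamp."""
    lo, hi = alert.ts - window, alert.ts + window
    return [e for e in events
            if e.host == alert.src_host
            and (e.remote_ip, e.remote_port) == (alert.dst_ip, alert.dst_port)
            and lo <= e.ts <= hi]


def recommend_response(alert, matches):
    """Prefer a surgical endpoint action when the offending process is known;
    otherwise fall back to a host-level deny rule at the firewall (assumed schema)."""
    if matches:
        return {"tier": "endpoint", "host": alert.src_host,
                "pids": sorted({e.pid for e in matches}),
                "processes": sorted({e.process for e in matches})}
    return {"tier": "network", "host": alert.src_host,
            "rule": {"action": "deny", "source": alert.src_host,
                     "destination": alert.dst_ip, "port": alert.dst_port}}


if __name__ == "__main__":
    hits = correlate(ALERT, EVENTS)
    print(recommend_response(ALERT, hits))
```

The point of the time window is to avoid blaming a process that happened to talk to the same address hours earlier; the older `chrome.exe` row is deliberately excluded, and only when no process can be tied to the traffic does the recommendation degrade to a coarser network block.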

The Corvil/Endgame integration is available from today to early adopter customers.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.